Seek out vendors with monitored certifications
Many cloud service providers claim they are
certified for one type of compliance or another, but that doesn’t necessarily
mean that they truly support a regulation in their current state. John Sloan,
lead research analyst at Info Tech Research Group (www.infotech.com), says that in some cases
“there’s been an independent audit and the data center where the cloud service
is hosted has a signed attestation saying that when it was audited, it met all
of the requirements to be compliant with that framework.” Although this is a
good thing, Sloan says the audit could have been performed two months ago or
two years ago, which may not be enough to give you peace of mind.
If you want to make sure the data center
that will be hosting your data is up-to-date with its certification, then you
need to make sure it has “monitored certification where the data center is
continually tested for its compliance,” says Sloan. After all, if you place
your data in the cloud believing that the data center is under compliance due
to a signed attestation but without monitored certification, “you can’t be sure
that your data is compliant,” says Sloan. For companies in specific industries,
that’s simply not an option, which is more than enough reason to seek out a
cloud vendor that updates its certification on a regular basis.
Establish proper SLAs upfront to avoid future issues
Once you find the right provider for your
specific situation, it’s time to negotiate the terms of your partnership and
design an in-depth SLA (service level agreement) that clearly defines what you
expect from the provider. SLAs not only ensure you get everything you pay for,
but they also help you avoid potential problems down the road. Taylor says
this is a particular concern for companies that are less regulated than those
with HIPAA, SEC, or PCI standards to contend with, and that such companies are
often unprepared.
Taylor cites an example of a company that
isn’t federally regulated but turns out to be subject to a trade regulation it
didn’t previously know about. The company signs with a service provider and then is
asked to prove its compliance years later. It needs a list detailing where the
data is stored and who has access to it, but the cloud provider simply replies
with, “that’s your problem, not ours.” The company hadn’t signed an SLA, so it
would now have to spend quite a bit of money to get the information the
regulator required and potentially negate any cost savings from moving to the
cloud in the first place.
That’s why Taylor says it’s so important
for the vendor to be able to tell you where the data is physically stored and
who has access to it at any given time. The provider should be able to share
that information quickly and easily. “You have to work it out ahead of time
with your cloud provider; you can’t just assume,” says Taylor. She says the
vendor needs to be able to run a report for you in case of a regulatory
request; have compliance as one of their competitive advantages over other
companies; or give you access to a self-service portal where you can run the
reports yourself. But the only way to get the guarantees you need is to develop
an SLA with your service provider that clearly lays out every detail.
Look out for better cloud standards in the future
If you’re still concerned about storing
your data in the cloud, keep in mind that cloud vendors are always working on
new standards that will help them support sensitive information and help you
meet compliance requirements. “There are several standards that are evolving at
this point,” says Heiser. “The world is reaching a consensus on what questions
need to be answered. We shouldn’t assume it will be a quick process, but we’re
working toward it. These standards are being updated as we speak; there should
be some rolled out very shortly. Until they’ve been applied over years though,
we shouldn’t expect that they’re finished.”
Not every industry has cloud standards
ready to go, but the government space does have something called FedRAMP
(Federal Risk and Authorization Management Program; www.fedramp.gov) where the cloud vendor gets
certified “in compliance with certain security and regulatory frameworks and
there’s an ongoing monitoring after that,” according to Sloan. It’s one example
of cloud providers taking compliance much more seriously, but Sloan believes
there will be plenty more developments like FedRAMP designed for other
industries in the future.
“With something like FedRAMP, a provider
has been audited and certified and all of the future companies can say, ‘if our
requirements are basically what’s in FedRAMP, then we don’t have to run our own
audit since they’ve been certified.’ It’s re-usable in that sense,” says Sloan.
“Instead of everyone having to get an audit done, that certification is
reusable and ongoing. That idea of a specific certification or standard that is
monitored and repeatable bodes well for the future. I think we’re going to see
more of that.”